The UK NHS app, which acts as a COVID vaccine pass, records and stores facial verification data. The data collection has raised privacy and transparency concerns as it involves a private company, iProov.
The NHS app is now used by more than 10 million people after it was adapted to act as the COVID-19 vaccine verification app. Before COVID, it was used to book GP appointments and access medical records.
During the login process, new users can use the optional video verification process. The process involves recording a video of the user’s face, which is sent to iProov for comparison with the anonymized photo IDs provided by the government.
The app also requires users to upload personal information such as the date of birth, phone number, postcode, and a photo of a government-provided identification document, such as a driving license.
The collection of the video verification data is happening under the NHS contract with iProov. But details of the contract, awarded in 2019, are yet to be published. The fact that the company is private and the lack of transparency about the contract have raised concerns among privacy advocates, The Guardian reports.
The NHS said it has not published details about the contract “for security reasons.” It cited the same reason for not publishing a data protection impact assessment of the NHS app, a report that explains how users’ data is used, secured, and protected.
iProov refused to reveal how long it stores the facial data, with the NHS saying that the data is “not stored for longer than is necessary under the contract.”
Both the NHS and iProov maintain that the app’s users’ facial data is anonymized and well protected using technology edited by the NHS.
According to experts, however, the data collected through the app would be of interest to the government and intelligence agencies.
“If GCHQ acquired it and it was of use, the likely position is that they would share that with the [US] National Security Agency,” an anonymous surveillance law expert told The Guardian.
Privacy advocates raised concerns over the secrecy surrounding the contract and data collection.
Dr. Stephanie Hare, the author of Technology Ethics, said: “Transparency, explainability and accountability are the holy trinity of technology ethics and they fall down on every one of them.”
She also warned that such data collection could be difficult to get rid of.
“Once this stuff is brought in, it’s very difficult to get rid of. It’s the thin end of the wedge and Covid is an opportunity for companies to get a foothold.”
The director of Foxglove, Cori Crider, voiced similar concerns in the report, saying: “So long as this system to log into the NHS app is optional then it may be fine but officials definitely shouldn’t be ‘nudging’ patients to log in with their faces to access healthcare.
“We should all also reflect on whether we’re heading towards a world where people have to use their faces just to walk into the supermarket or the pharmacy or the nightclub.”
The NHS said the app is helpful to millions and users’ data is safe.
“The NHS App is helping millions of people to quickly and easily access their NHS Covid Pass, and frees up time for GP surgeries by allowing people to book appointments and order repeat prescriptions online,” a spokesperson said.
“We use facial verification software when people decide to use the app to access their confidential patient data, as part of the high-level NHS login identity verification process which is clearly explained to app users.
“This means people using the NHS app can trust that their data will be safe and secure.”